Yet another vulnerability scanner?

There are many vulnerability scanners out there. So… why did I create another? Mainly for ease of use. The majority of the latest WannaCry and NotPetya (Petya, GoldenEye or whatever) victims are not technical organizations, and sometimes just small businesses that don’t have a security team, or even just an IT team, to help them mitigate this. Running NMap or Metasploit (not to mention more commercial products) is something they will never do. I aimed to create a simple ‘one-button’ tool that tells you one thing and one thing only – which systems are vulnerable in your network.

Notes

This is a free tool provided for your benefit & security. I don’t charge for it. It is here to help you and also to help me gather worldwide statistics. Learn more about it.

Tips

If you’re about to run it in your working environment, please update the IT/Security team in advance. You don’t want to cause (IDS/IPS/AV) false alarms.

If vulnerable systems were found – please install Windows updates ASAP.

For God’s sake, please disable SMBv1 already. Whether your systems are patched or not. This protocol was written over 3 decades ago…!

If you would like to enjoy the tool but disallow sending anonymous statistics (which is so uncool), disable access to my website.

Final words

I really hope this can help people and organizations protect against the next attack.

86 thoughts on “Eternal Blues”

Hi, thank you for providing such an easy method to check the local LAN. It would be great, however, if you could elaborate a little more in your blogpost on how exactly it checks for vulnerable systems.

In some cases, there was an issue with detection. Starting with version 0.0.0.5 (already uploaded) you will probably get the same results as with other tools. Please report if you don’t.
I’ll blog with some more details about it in a few hours.

I tried the latest version and it’s working fine. Thanks for fixing the issues. I had one other recommendation but saw someone else has already requested it: running the scan on a different subnet without closing and re-launching the app.

One more request 🙂
Is it possible to schedule the scan using a script so that it scans the machines which were offline during the initial run and sends an email?
These are good to have features not necessarily needed, the tool you have made is serving its purpose. Thanks again.

Update: Symantec today warned about it with their heuristic scan. I submitted it as a false-positive. They analyzed it (in less than 40 minutes!!) and approved it as wrong detection. It’ll take them up to 24 hours to update their products.
Amazing service by Symantec.

Using version 0.0.0.3, the IP sub-net mask of the current PC is not computed correctly. For instance, on a /25 sub-net, the tool reports /24 and therefore generates probes to IP addresses outside the local infrastructure.

I did the scan, which works very well. Stupid question. The tool found 36 workstations with SMBv1 enabled, but it says “NO (SMBv1 enabled)”. Does this mean that even if the workstation has SMBv1 enabled it is not exploitable? Or is it just saying that in case of infection it can spread by this protocol?
Thanks in advance

Not a stupid question at all. It means these hosts are *not* vulnerable to the EternalBlue vulnerability.
However, SMBv1 is a very old protocol and likely to be exploited. So if possible, my recommendation will be to completely disable it.

I tried it on my network of 4 computers. Three of them are running Windows Ten and one Windows 7. I was surprised at the results: all three of the Windows Ten and the Windows 7 had SMB 1 enabled but not vulnerable.

I could have sworn that I read that Windows 10 disabled SMB 1 by default.

NOT what is wrong with SMBv1, but what is wrong with anything below MS’s latest Win10. All his improvements are only going into v3 even though v2 is still in support. Gee, I wonder why?

Wake up and smell the self-serving FUD. Best advice: don’t put MS computers directly on the net. MS’s networking was originally designed for a low threat environment. Better to put them behind a gateway running another OS (ex: linux or Bsd).

If MS wanted to demonstrate they were serious about security, and if SMBv3 is so much better, then they’d release it as a security update to v2 for Win7+8. Right now, it looks like repetitious marketing about how bad the “last OS was” and “how much more secure our new OS is, so please update to our newest version”…

P.s. — tool doesn’t allow a rescan (wanted to boot another computer), but asks if user wants to exit when they try to exit.

The tool has no further function or use (since rescan is disabled), so why wouldn’t someone want to exit? Even if rescan were not disabled, why 2nd guess the user — an idea promulgated by MS from 20-25 years ago, that users expressed dislike for.

How can someone use a disliked popup dialog yet advise not using a liked protocol based on age?

FWIW — MS boxes shouldn’t be on the net. MS-networking products were designed for a trusted local network — not a hostile internet. Given that constraint — what’s wrong with SMBv1 (besides being slower)?

Hi, this tool is wonderful.
I wonder how could I scan for certain IP addresses only (like from a txt file) instead of the full range of the company’s network? I only want to check for servers (around 1.400) spread around in hundreds of subnets.

Thank you!
It is not possible and not going to be, since it opens a door for malicious actors’ automation. You know, bad actors usually won’t use a GUI-based app, but one that can be automated.
However, I recommend cloning the EXE to different folders, then running it multiple times (simultaneously) on different ranges.

The tool is very great; it helps me monitor which network machines have not been updated for this vulnerability. However, the tool has a weakness: if I want to scan again, I must exit the program and then run the exe again. So inconvenient!
Thanks!

I had an older machine on our network (Win Server 2003) that I was sure was patched. Testing with this software it said it was vulnerable. Everything else on our network showed ok (or that smbv1 exists but not vulnerable).

I thought the test was incorrect for that one old machine. Elad was very helpful and guided me through other tests. Amazing support considering the tool is free!

We determined in the end that our patching had not worked and the machine was indeed vulnerable (by using a local check tool). Reapplied the specific MS patch, rebooted, and then both tools (local + this one) showed it no longer vulnerable!

Thanks Elad for bearing with us and ensuring we really did check the machine. All good now.

Elad, thanks for the tool. I think it’s awesome. That being said, I’ve got a couple of comments.

1. It does not seem to reach all the computers on my network (just a small home network). I can ping all the computers in question. The ones that it does not seem to reach are either laptops on WiFi or they are a bit far away (physically) with two or three switches between. The tool just says “no response.” I have to run them on those machines to run the tool. One machine, a laptop running Win 7 Pro, still won’t provide anything other than “no response.” Weird. Perhaps the tool is timing out too quickly?

2. Regarding SMB v1 disabling, there’s the server side and the workstation side. I initially incorrectly did the workstation side on W7 computers so that only the server side was disabled, but that was enough for the tool to declare that SMB v1 was disabled. Is it only checking the server side?

As for timing out too quickly – there are some rare cases of (super) slow networks, in which Eternal Blues timed out before getting a response. I’ve just increased the timeout with version 0.0.0.9. If you still think there are issues, please contact me through email so we can pinpoint the problem.

As for disabling the SMBv1 server side – you actually did the right thing. ETERNALBLUE exploits the server side – cases where a host has the SMB port opened and it is listening (and accepting) SMBv1 messages from remote clients. Once again, you did the right thing.

Great tool, helped me analyze my network and shut down SMBv1 on all devices which don’t need it, thanks!

FYI, it was interesting how it interacted with Symantec Endpoint Protection on our workstations. I first had to disable Symantec on mine (the workstation I was running the scan tool from). Then, on the ones that still had SMBv1 enabled, even though they were patched with the Microsoft patch, Symantec popped up a warning that there was an MS17-010 vulnerability scan attack taking place and blocked my workstation from connecting to those workstations for 600 seconds (the default value for Symantec). So if I understand that behavior correctly, Symantec should be able to protect my network from SMBv1-based attacks. But better to disable it entirely! 😉

Thanks for sharing 🙂
Well, I wouldn’t say Symantec protects you from (all) SMBv1-based attacks. It definitely does the job for EternalBlue-based attacks. The best will be just to disable SMBv1 completely.

thxs!
..i see lots of vers in a month…june-july..
then since 25 july no new vers ..why…?
and Avira tells about a trojan droppen virus even i click yr linked versions’ page..
and of course also if i dl yr tool..
why…??
cheers!

There are no new updates since the tool does its job well and all known bugs got fixed. Most of the feature requests were delivered a long time ago.
As for Avira – according to Virus Total scan from moments ago – it appears clean. Please email me your Avira version and exact user flow so I’ll report them (once again).

Wondering if there’s a bug in the tool or in Synology’s firmware. On my Synology NAS devices I have disabled SMB1 and set SMB2 at the minimum. Synology tech support verified this on the latest firmware. But EternalBlues scanner still shows it as responding to SMB1. Could there be a bug in the tool? Or perhaps somehow they still initially respond to SMB1 but don’t process the data? What results have you seen on non-Microsoft embedded devices? Screenshot: https://imgur.com/a/vGl0Y

“…in DSM 6, we allow you change the minimum SMB version, which would fix this issue”

I haven’t tested it myself, but I’m pretty sure the issue is not with my scanner. Anyway, if you’re willing to verify this, I’ll be more than happy to assist. Just record the traffic (e.g. Wireshark) and email me the pcap file so I can verify this.
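One way to read the first server reply in such a capture, as an added example that is not the scanner's code or the author's method: it separates an SMB2 reply, an SMB1 reply that selects a dialect, and an SMB1-framed reply whose DialectIndex is 0xFFFF (no offered dialect accepted). The function and helper names are hypothetical and the sample payloads are constructed, not taken from any real device.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB1_NO_DIALECT = 0xFFFF  # DialectIndex meaning "none of the offered dialects accepted"


def classify_negotiate_reply(payload: bytes) -> str:
    """Classify the first server reply on TCP/445: 4-byte NetBIOS header + SMB message."""
    if len(payload) < 8 or payload[0] != 0x00:
        return "not-smb"
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        # 64-byte SMB2 header, then StructureSize(2), SecurityMode(2), DialectRevision(2)
        if len(msg) < 70:
            return "truncated"
        (dialect,) = struct.unpack_from("<H", msg, 68)
        return f"smb2 dialect=0x{dialect:04x}"
    if msg[:4] != SMB1_MAGIC:
        return "not-smb"
    # 32-byte SMB1 header: magic(4), command(1), status(4), 23 more bytes; then WordCount(1)
    if len(msg) < 33:
        return "truncated"
    if msg[4] != SMB1_COM_NEGOTIATE:
        return "smb1 other-command"
    (status,) = struct.unpack_from("<I", msg, 5)
    if msg[32] == 0 or len(msg) < 35:
        return f"smb1 error status=0x{status:08x}"
    (index,) = struct.unpack_from("<H", msg, 33)
    if index == SMB1_NO_DIALECT:
        return "smb1 framing only, no dialect accepted"
    return f"smb1 accepted dialect-index={index}"


def frame(msg: bytes) -> bytes:
    """Prepend the NetBIOS session header (type 0x00 + 24-bit length)."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def smb1_reply(words: bytes, status: int = 0) -> bytes:
    """Build a minimal SMB1 negotiate reply for the constructed samples below."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + struct.pack("<I", status) + bytes(23)
    return frame(header + bytes([len(words) // 2]) + words + b"\x00\x00")


# Constructed sample replies (not taken from any real capture).
SAMPLES = {
    "smb1 accepted": smb1_reply(struct.pack("<H", 0) + bytes(32)),
    "smb1 refused": smb1_reply(b"\xff\xff"),
    "smb2 only": frame(SMB2_MAGIC + struct.pack("<H", 64) + bytes(58)
                       + struct.pack("<HHH", 65, 1, 0x0210) + bytes(58)),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {classify_negotiate_reply(raw)}")
```

An accepted dialect index only has meaning against the dialect list in the client's request, so read the two packets together in the capture.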